Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware
Sep 28, 2022
A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for €189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla . The multi-stage attack chain starts with a spear-phishing email containing a GZIP archive attachment that includes a shortcut designed to execute PowerShell code responsible for launching a remote HTML application (HTA) using MSHTA . The phishing emails purport to be an order confirmation message from a Chinese supplier of lump and rock sugar, with the LNK file masqueradin